
Last month I wrote an article about the ransomware group Black Basta and how they had been leveraging remote desktop tools like TeamViewer, AnyDesk and, more notably, Quick Assist, which is Microsoft’s own remote desktop utility. In general it is strongly recommended to block such apps if there is absolutely no business need to have them installed in your organisation’s environment. However, what if you do need these tools in your organisation? A common use case is to allow the support desk to help troubleshoot users’ machines remotely, especially with the rise in remote/hybrid working since the pandemic.
This short blog assumes your organisation wants to monitor the use of Quick Assist, as this is the built-in tool already available in Windows. Quick Assist itself does not generate any logs, so how do you go about detecting use of Quick Assist if it does not generate any logs? If you are using an EDR tool like Microsoft Defender for Endpoint, you could write a KQL query that looks for the QuickAssist.exe process; however, this will trigger every time someone simply launches Quick Assist, not necessarily when they are actually using it, so it is prone to false positives that could hinder your SOC team.
In my research, when testing out a remote connection from one machine to another, the client machine (the machine that you remotely connect to) has to enter a code given by the user from the host machine. When the user enters this code on the client machine, it essentially makes a remote URL connection to “https[:]//remoteassistance[.]support[.]services[.]microsoft[.]com” to establish the connection. As such, we can write a simple, custom KQL query that will allow you to monitor this type of activity. You could then build an alert, so you are notified and your SOC team can verify with the users whether this is legitimate activity or not.
To detect this type of activity, simply use the below KQL query, which you can then use to create an alert from:
DeviceNetworkEvents
// RemoteUrl is the Defender for Endpoint column name (KQL column names are case-sensitive); match on the host so the scheme does not matter
| where RemoteUrl contains "remoteassistance.support.services.microsoft.com"
This isn’t a foolproof detection: if someone were to simply browse to that URL, it will be picked up by the KQL, but in reality there’s no real reason for anyone to be going to this URL unless they are using the Quick Assist tool to establish a remote connection, so this should be fairly low noise.
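As an added example (not from the original post), the same detection extended to cut down the browser-visit noise just described: it keeps only connections made by the Quick Assist process and summarises one row per device and user for triage. The process-name filter assumes the outbound connection is initiated by QuickAssist.exe, as the earlier mention of that process suggests; confirm the initiating process in your own telemetry before alerting on it.

```kql
// Added example: Quick Assist session detection with reduced noise.
// Assumption: the connection is initiated by QuickAssist.exe (verify in your tenant).
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl contains "remoteassistance.support.services.microsoft.com"
// Drop plain browser visits to the URL, which the basic query would also catch
| where InitiatingProcessFileName =~ "QuickAssist.exe"
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Connections = count(),
    RemoteIPs = make_set(RemoteIP)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName
| order by LastSeen desc
```

Each row is one device/user pair that ran a Quick Assist session in the window, which is a better unit for the SOC to verify with the user than one alert per network event.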